Static analysis-based tracking of data in access-controlled systems
First Claim
1. A computer-implemented method, comprising:
receiving source code including at least a set of service calls associated with a first set of data stores and a second set of data stores; and
identifying data based at least in part on one or more data variable identifiers of the data to perform static analysis mapping of data flow to generate a data flow map, the data flow map indicating movement of data among the first set of data stores and the second set of data stores, the performance of the static analysis comprising:
obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a subset of the first set of data stores and a subset of the second set of data stores;
evaluating the source code, based at least in part on the access control policy and one or more data variable identifiers of a data portion, to determine whether the access control policy is violated, wherein evaluating the source code includes parsing service calls made by the source code indicating movement of the data portion from one data store location to another;
updating, based on the evaluation, the data flow map to indicate that the data portion is provided from the first data store of the first set of data stores to the second data store of the second set of data stores; and
using the updated data flow map to identify the location of the data portion and determine whether the data portion was provided from the first data store to the second data store correctly.
1 Assignment
0 Petitions
Abstract
Method and apparatus for identifying a flow of data from a first data store to a second data store are disclosed. In the method and apparatus, a service may send the data from the first data store to the second data store, whereby the service may be associated with an access control policy that specifies whether the service is permitted to send or receive the data. The access control policy may be used as a basis for the evaluation of executable instructions of the service, and evaluation of the executable instructions may be used to identify the first data store or the second data store.
66 Citations
20 Claims
1. A computer-implemented method (independent claim 1, reproduced in full above under First Claim). Dependent claims: 2, 3, 4.
5. A system comprising:
memory to store instructions that, as a result of being executed by one or more processors of the system, cause the system to:
for a computing system having a set of access privileges that specifies enforcement of an access restriction of a service that causes the exchange of data between a source and a destination, generate an evaluation of one or more instructions by parsing a call tree of a set of service calls to identify data movement based at least in part on one or more variable names associated with the data of the computer system, to determine whether the computer system causes data to be sent from the source to the destination, the evaluation being performed based at least in part on the set of access privileges and one or more variable names associated with the data, and the evaluation including information, based at least in part on whether the access privileges are violated, indicating a flow of data among the source, the destination, and the computing system; and
perform one or more operations based at least in part on the evaluation to determine whether the data exchanged between the source and destination was performed correctly.
Dependent claims: 6, 7, 8, 9, 10, 11, 12.
13. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
identify a destination for a data portion to generate an identification, generating the identification including obtaining an access control policy that specifies enforcement of an access restriction of a service that causes the exchange of data between a source and a destination and evaluating computer system code by parsing a service call to a service indicating movement of the data portion, based at least in part on one or more data variable identifiers and the access control policy to determine whether the access control policy is violated, the computer system code retrieving the data portion from the source and providing the data portion to the destination for use;
generate a mapping indicating transmission of the data portion from the source to the destination based at least in part on the identification and the evaluation; and
use the mapping to determine whether the data portion is provided correctly.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
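The analysis the abstract and claims describe, as an added example that is not the patent's own code: a toy static analyser written here in Python that parses a constructed source snippet, treats `svc.get(store, key)` and `svc.put(store, key, value)` as the hypothetical service calls that move data between stores, records which store each variable was read from (propagating it through plain aliasing), builds the data flow map as (source store, destination store, variable) triples, and then checks every flow against a constructed access control policy. Store names that are not string literals are left unresolved and reported as violations, since the analyser cannot prove them safe. The service API, the sample source, the policy and all function names are assumptions made for this example.

```python
"""Toy static data-flow mapper (added example, not the patent's code).

Assumed service API in the analysed code (hypothetical names):
    svc.get(store, key)          reads a record out of <store>
    svc.put(store, key, value)   writes <value> into <store>
Only string-literal store names are resolved; anything else is recorded
as "<unresolved>" so the map shows where coverage is incomplete.
"""
import ast
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str]  # (source store, destination store, variable)

# Constructed sample source for the analyser to examine.
SAMPLE_SOURCE = '''
def export_report(svc, user_id):
    profile = svc.get("customer_db", user_id)   # data enters from customer_db
    summary = profile                           # alias keeps the origin
    svc.put("report_store", user_id, summary)   # permitted by POLICY
    svc.put("public_cache", user_id, profile)   # not permitted by POLICY
    svc.put("audit_log", user_id, "exported")   # a literal, not store data

def mirror(svc, key):
    blob = svc.get("report_store", key)
    svc.put(blob_target(), key, blob)           # destination not a literal
'''

# Constructed access control policy: for each source store, the set of
# destination stores the service may forward that store's data to.
POLICY: Dict[str, Set[str]] = {
    "customer_db": {"report_store"},
    "report_store": {"report_store", "archive"},
}

UNRESOLVED = "<unresolved>"


def _store_name(node: ast.AST) -> str:
    """Resolve a store argument; only string literals are trusted."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return UNRESOLVED


def _is_svc_call(node: ast.AST, method: str) -> bool:
    """True for a call of the form svc.<method>(...)."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == method
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "svc")


def map_data_flow(source: str) -> List[Flow]:
    """Walk each function's statements in order and record every movement
    of store-derived data into another store."""
    flows: List[Flow] = []
    module = ast.parse(source)
    for func in (n for n in module.body if isinstance(n, ast.FunctionDef)):
        origin: Dict[str, str] = {}  # variable name -> store it was read from
        for stmt in func.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target, value = stmt.targets[0].id, stmt.value
                if _is_svc_call(value, "get") and value.args:
                    origin[target] = _store_name(value.args[0])
                elif isinstance(value, ast.Name) and value.id in origin:
                    origin[target] = origin[value.id]  # alias propagation
                else:
                    origin.pop(target, None)  # overwritten with untracked data
            elif isinstance(stmt, ast.Expr) and _is_svc_call(stmt.value, "put"):
                call = stmt.value
                if len(call.args) >= 3 and isinstance(call.args[2], ast.Name):
                    var = call.args[2].id
                    if var in origin:  # only store-derived values are flows
                        flows.append((origin[var], _store_name(call.args[0]), var))
    return flows


def check_policy(flows: List[Flow], policy: Dict[str, Set[str]]) -> List[Flow]:
    """Return the flows the policy does not permit. An unresolved destination
    counts as a violation because the analyser cannot prove it safe."""
    return [f for f in flows
            if f[1] == UNRESOLVED or f[1] not in policy.get(f[0], set())]


if __name__ == "__main__":
    found = map_data_flow(SAMPLE_SOURCE)
    for src, dst, var in found:
        print(f"{src} -> {dst} via {var}")
    for src, dst, var in check_policy(found, POLICY):
        print(f"VIOLATION: {src} -> {dst} via {var}")
```

Running it on the sample yields three flows (customer_db to report_store, customer_db to public_cache, and report_store to an unresolved destination) and flags the last two as violations. The example stays within one function at a time; claim 5's parsing of a call tree would additionally require following store-derived values through calls between functions, which a production analyser has to do before it can claim the map is complete.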
Specification